This risk disclosure could also help to identify solutions to the root cause of the problem. Companies would demand industry-led innovation with a newfound sense of urgency, in order to eliminate or mitigate the risk reporting in the following year. Companies may turn to their Internet service providers (ISPs) to provide increased managed-security services on their behalf. Concurrently, the security-product industry would have an increased market-driven requirement to deliver products that perform with higher assurance levels. The research community would also have access to data that would facilitate idea creation and innovative solutions to increase security across the entire architecture.

The increased data that would result from such risk filings could also lead to the growth of an insurance industry to help companies absorb costs if the data shows a minimum standard of due care. Some insurance companies are beginning to offer policies designed to protect businesses should they fall victim to intrusions or other forms of online disaster. However, there is still not enough actuarial data on which to reliably base the premium rates.

If companies were required to disclose intrusions and the associated external costs of lost intellectual property or lost productivity, then insurance policies and costs would be more predictable. As more data becomes available, a standard of care, or “best practices” of the enterprise, could emerge. This would allow businesses to deploy capabilities in a way that would provide adequate protection, taking into account risk requirements and business operations. Then, if a corporation had implemented adequate defenses of its networks or information assets, and a breach occurred (e.g., illegal copying and movement of data), it could call upon its insurance plan to supplant the losses. Such action would lead to a discussion of liability, and may in fact reveal the legal underpinnings associated therein.

This proposal may seem dramatic, and industry may appeal based on the unintended consequences of implementing such a rule in this area, arguing high costs and reduced competitiveness. But regulators can compare this proposal to the Sarbanes-Oxley Act of 2002, which introduced major changes to the regulation of corporate governance and financial practice as a result of identified weaknesses, illustrated by the Enron case, among others. And why shouldn’t the SEC take measures to protect the near-term economic infrastructure and long-term growth for publicly traded companies?
3 David Briody, “Full Coverage: How to Hedge Your Cyber Risk,” , April 1, 2007, www.inc.com/magazine/20070401/technology-insurance.html.
Turning to the Federal Communications Commission
Concurrent with the SEC option, the President can also turn to the Federal Communications Commission (FCC) to enlist private-sector talent, requiring the core telecommunications providers and ISPs to shoulder more of the burden of protecting our infrastructure. The major telecommunications providers and ISPs collectively have unparalleled visibility into global networks, which enable them with the proper tools to detect cyber intrusions and attacks as they are forming and transiting toward their targets.

They even have the ability to tell the consumer if a computer or network has been infected. For example, Comcast is “expanding a pilot program that began in Denver last year, which automatically informs affected customers [by sending them] an e-mail, urging them to visit the company’s security page.”

Customers are receiving alerts, being offered antivirus customer service, and receiving free subscriptions to Norton security software. While this enhanced service is in the nascent stages, these companies also employ sophisticated tools and techniques for countering attacks to their own infrastructure and the networks. So, why doesn’t the FCC mandate that this service be provided more generally, to clean up our infrastructure? Doing so could open a dialogue or lead to a request to limit the liability for providing such a managed security service. Perhaps the “Good Samaritan” clause in the Telecommunications Act of 1996 could be reviewed and applied to quell any concerns that may surface.
4 U.S. House of Representatives, HR 5136, 111th Congress, National Defense Authorization Act of 2011.
5 Brian Krebs, “Comcast Pushes Bot Alert Program Nationwide,” Krebs on Security, 4 October 2010, http://krebsonsecurity.com/2010/10/comcast-pushes-bot-alert-program-nationwide/.
6 The Telecommunications Act of 1996, Pub. L. No. 104-104, 110 Stat. 56. The 1996 Telecommunications Act included a “Good Samaritan” provision designed to protect Internet Service Providers (ISPs) from liability when they act in good faith to block or screen offensive content hosted on their systems (Id. § 230[c]).